Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

comparing a field and external file

aniketb
Path Finder
‎07-25-2012 10:28 AM

Hello all,

I'm a very new splunk user. I have this question:

I have a list of verified hostnames. I can put them in any file, .txt or .csv, its just a list.
I also have my hostname field in logs correctly extracted.

I would like to set up an alert if the hostname doesn't match with any approved one from the list.

How should I go ahead with it? Answers or even pointers would be helpful.

Reply
1 Solution
Solved! Jump to solution
Solution

cburr2012
Path Finder
‎07-25-2012 11:45 AM

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

View solution in original post

Reply
Solved! Jump to solution
Solution

cburr2012
Path Finder
‎07-25-2012 11:45 AM

aniketb,

1) Create the list of verified hostnames as a CSV file. It is easy if the column containing the hostname values is the same name as Splunk's hostname. (i.e. if Splunk calls it "host=bob" your header should be "host" without the quotes.)

2) Open Splunk.

3) Navigate to Manager --> Lookups --> Add New --> Lookup Table File

4) Upload your file and name it hostname_lookup.csv (or whatever you want, have the filename end in .csv)

5) Under Manager --> Lookups --> Add New --> Lookup Definition

6) Name: hostname_lookup , lookup-file: hostname_lookup.csv

7) Now define your search query: index=this_index query_terms_here NOT [|inputlookup hostname_lookup | fields host]

😎 Set your time and click Create --> Alert

9) Schedule your alert and have it trigger when your results are great than 0.

Hope this helps.

Reply
Solved! Jump to solution

carmackd
Communicator
‎07-25-2012 10:34 AM

upload the host list as a lookup file (save as .csv) host column header named hostname

run this search

sourcetype=<my_sourcetype_name_here> NOT [|inputlookup <lookup_name_here>.csv | fields hostname]
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...